Despite all the technological solutions to any problem in today’s world, there is always the human factor to consider. The best technology cannot account for the actions, and specifically the mistakes, that humans can make which may totally undermine the solution that technology provides. This is especially true in the world of security. The best security defenses can be totally compromised by a single individual making the wrong decision, either accidentally or knowingly.
When considering a fully-featured and well thought out security plan, the human factor is an extremely important part of the equation, and arguably just as important as the technology component of the solution. In this article, we will take a look at cyber security awareness across an SMB organization.
Why is the “human factor” an extremely important part of the security equation? What are some of the more dangerous cybersecurity threats that employees need to be aware of? How can organizations successfully create awareness of today’s various cybersecurity threats? How can a good mix of security awareness and technology provide the ultimate solution? Let’s take a look at these and other important questions in helping to bolster security awareness across an SMB organization.
Why Security Awareness Training is Essential
With all of the security technology and cybersecurity solutions available today, why is security awareness training essential for employees across an SMB organization? The truth of the matter is that despite advanced cybersecurity technology solutions and mechanisms, uninformed and untrained users can do a tremendous amount of damage to security efforts inside the network through risky and otherwise damaging behaviors. What do some of these dangerous behaviors include? They cover a wide variety of things, but some of the more dangerous are visiting risky websites that are infected with malware including ransomware, responding to or clicking links inside of phishing emails, unwisely storing credentials in unsecured locations, or inadvertently releasing sensitive information that is requested in social engineering attacks.
Security awareness training can help to educate end users on the various ways attackers utilize to compromise end user systems. Helping to educate them on what potential attacks look like can go a long way in helping to bolster security of internal systems. The popular saying of “an ounce of prevention is worth more than a pound of cure” certainly applies here. Heading off an attack before it ever happens is certainly much more effective than remediating attacks after they have been allowed to happen by an end user.
What are some of the items that end users should be exposed to in security awareness training? As mentioned, attackers have several different ways to compromise end user systems. Security awareness training needs to train employees effectively on how to recognize what different attacks look like in the following areas:
- Email Security
- CEO Fraud
- Desktop Security
- Password Security
- Web Security
- Wireless Networks
- Malware including Ransomware
- Physical Security
What are some of the key takeaways for security awareness in the above-listed areas?
Email Security
By far, one of the primary ways that employees can place an organization at tremendous risk is email security. Despite many other advanced communication tools in use by organizations today, email is still the primary means that most employees utilize for business communication. It is the de facto standard for exchanging information inside the corporate world.
Attackers have long realized the value of email inside a corporate network and have leveraged this threat vector for decades. Despite the many other advanced means of infiltrating networks, utilizing emails as a threat vector is still a favorite for attackers. It is easy, effective, and can get them inside a network or compromise an end user system in no time. There are two primary types of emails that attackers use to infiltrate an end user system or compromise credentials or other sensitive or otherwise protected types of information – phishing emails and emails with embedded malicious links.
Phishing utilizes emails to entice end users to click links with the purpose of harvesting personal information or system information under the guise of a legitimate purpose. This is an age-old tactic that is still surprisingly very effective with unsuspecting end users. Attackers are getting much more proficient at making the email look extremely legitimate including logos and other information. The information the attacker is looking to gain could be login information, names, titles, phone numbers, banking information, or many other types of personally identifiable information.
Security awareness training can help end users to effectively identify a phishing email in various ways. It helps to instill in the end user the sense of caution that needs to be exercised when scrutinizing any email that may have the slightest hint of being illegitimate or malicious. In fact, a good approach is to help end-users to view all emails as potentially malicious or illegitimate until proven otherwise.
Malicious Links can be links that attempt to run scripts or other malicious payloads on the end-user workstation visiting the link. There are many types of malicious payloads the attacker may be trying to drop on the end-user workstation. These can include viruses, trojans, worms, spyware and adware. However, the most alarming of the malicious payloads that can potentially be delivered to an end-user is ransomware. Ransomware is perhaps the most alarming type of malware in existence today as it slyly and maliciously encrypts end-user data until a “key” is purchased with a ransom amount to decrypt the data.
The ransomware threat is not going away any time soon. Attackers are still heavily utilizing ransomware infection as a means to hold data hostage, extort money from organizations, and to even cover their tracks of infiltrating various servers, etc. Again, email is an easy way for attackers to have inside access to an unsuspecting end user who may click on a “weaponized” link and inadvertently infect their device with the potentially alarming ransomware infection.
The damage path of ransomware can be quite large since it not only infects the end-user device but also can “crawl” the network, infecting network drives and other attached storage resources the end-user may have access to. The worst-case scenario with ransomware is an end-user may have a large number of business-critical network drives mapped that result in all of these being encrypted with ransomware via the single infection on the end-user device.
Helping end-users to fully understand the potential “fall out” from a ransomware infection can go a long way in increasing the level of vigilance when it comes to scrutinizing email for suspicious links and other warning signs that need to be taken seriously before blindly clicking email links as soon as they appear.
CEO Fraud
While CIO Fraud is often carried out as part of email phishing and spear phishing activities, it is unique enough to separate off into its own topic since it is an ever-growing threat that employees are faced with. What is CIO fraud? An attacker sends an email posing as the CIO of the business. They can often obtain this information via various social media channels and by scraping information from CIO profile pages and other feeds.
A specific email is then sent using the information gathered from this reconnaissance of social media to an unsuspecting employee that may be in a position to transfer money or make purchases. The “CIO” in the email may request the employee transfer funds via such things as wire transfers, etc. By playing on human nature here to quickly please those in high-ranking positions, employees often fall for the ruse as they are blinded by the thought of who is behind the request rather than scrutinizing the request further.
With CIO Fraud, unsuspecting employees have unwillingly transferred thousands of dollars in funds at the direction of what they assumed was a legitimate request from a C-Level executive.
Security awareness training greatly improves the chances that employees are not blindsided by this type of illegitimate request and helps them to recognize the signs of a fraudulent request. It helps employees ask themselves simple questions such as “Would my CIO really send an email asking for this type of funds transfer?”, or “Have I ever been asked to do anything like this before?”. Additionally, it lets employees know that it is ok to reach out to the C-Level executive and confirm a request if there is any doubt as to whether or not it is legitimate. C-Level executives would much rather be inconvenienced by confirming a request than have to deal with the repercussions of a massive transfer of funds that was unauthorized.
Desktop Security
Desktop security is another highly important area of end user security awareness that organizations do well to address with training. Desktop security involves some very simple security areas to note for end users who have a desktop, laptop, or other company assigned client device. In particular with desktops/workstations, employees need to be trained to secure their login session any time they walk away or otherwise leave the session unattended.
The best way to do this is to “lock” the workstation whenever stepping away from it, even briefly. This ensures that someone could not simply walk up and see what is displayed on the screen, including potentially sensitive information. If a workstation is left unattended and logged in without being locked, anyone can simply sit down and “assume” the identity of the worker who got up and left the station. All files, access, and other permissions are now compromised.
Desktop Security is an extremely important area of security awareness that must be addressed properly with employees, educating them on the potential dangers and risks associated with company data, unauthorized use of permissions, etc.
Password Security
The password is the primary authentication mechanism still used in environments today to verify identity. Generally, a username must be specified that is assigned by the company; the password is then a user-supplied string of letters, numbers, and other characters that allows successful authentication. Organizations today generally use some type of “password policy” which specifies what characters and combinations of characters should comprise an acceptable password. Common authentication solutions such as Microsoft’s Active Directory have password policy mechanisms that can enforce the company-decided password policy for an acceptable password.
Despite the technology solution that may be used to enforce password policies, password security should be a part of security awareness training that helps employees understand the characteristics that make up a good password and how they can perhaps generate these. There are definitely loopholes to many password policies that are implemented via a technology solution. Often it is found that employees may simply change the number on the end of the same password they have used for months or even years. Even if the password began as a relatively strong password, simply changing the character on the end with each password change is not a good practice.
Another simple yet highly dangerous action an employee may be guilty of is writing down passwords and storing them in close vicinity of their workstation if not in plain sight or stuck to a monitor or underneath a keyboard. This is extremely dangerous and can lead to environments easily becoming compromised. Helping employees understand the risks in doing this is extremely beneficial.
Again, security training can help end-users understand the need for strong passwords and how these can be successfully implemented. If employees are better informed and trained as to the benefits of strong passwords and other security mechanisms, they are more apt to effectively use the training and better deal with any inconveniences of the extra security mechanisms that may be in place such as complex, strong password requirements.
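The “same password with a new number on the end” loophole described above is one a policy engine can catch by comparing the normalised core of a new password against the cores of recent ones. The following is an added example, not part of the original article or of any directory service’s own policy engine; the normalisation rules, the HMAC key and the history depth are assumptions chosen for illustration.

```python
"""Detect cosmetic password rotation (Summer2023! -> Summer2024!).

Added example; the normalisation rules and the history depth are assumptions.
"""
import hashlib
import hmac
import re

# Trailing digits/punctuation and leading digits are what people usually rotate.
_TRAILING = re.compile(r"[\d!@#$%^&*._-]+$")
_LEADING = re.compile(r"^\d+")
# Leet-speak spellings that do not change the word the user is really remembering.
_LEET = str.maketrans("013457@$", "oieastas")


def normalise(password: str) -> str:
    """Reduce a password to the 'word' behind it so cosmetic variants collide."""
    core = _TRAILING.sub("", _LEADING.sub("", password.lower()))
    core = core.translate(_LEET)
    # An all-digit password normalises to nothing; compare it as-is instead.
    return core or password.lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` differs from `old` only by casing, leet or a rotated suffix/prefix."""
    return normalise(old) == normalise(new)


class PasswordHistory:
    """Keeps keyed fingerprints of the normalised cores of past passwords.

    Trade-off to be aware of: the fingerprint covers the reduced core, so this
    history is weaker than a hash of the full password and must be protected
    with the same care as the credential store itself.
    """

    def __init__(self, key: bytes, depth: int = 5):
        self._key = key          # assumption: a secret kept alongside the credential store
        self._depth = depth      # how many past passwords are remembered
        self._cores: list[str] = []

    def _fingerprint(self, password: str) -> str:
        return hmac.new(self._key, normalise(password).encode(), hashlib.sha256).hexdigest()

    def accept(self, new_password: str) -> bool:
        """Reject cosmetic re-use of any remembered password; record accepted ones."""
        fingerprint = self._fingerprint(new_password)
        if fingerprint in self._cores:
            return False
        self._cores.append(fingerprint)
        del self._cores[:-self._depth]   # keep only the most recent `depth` entries
        return True


if __name__ == "__main__":
    history = PasswordHistory(b"constructed-demo-key")
    for candidate in ["Summer2023!", "summer2024#", "P@ssw0rd1", "Password2"]:
        print(candidate, "accepted" if history.accept(candidate) else "rejected (cosmetic re-use)")
```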
Web Security
The Internet is a powerful tool for individuals and businesses alike, however, it is filled with dangers from a security perspective. Attackers often use various websites or malicious links to compromise end-users. Attackers may use URL phishing or misspelled domains to trick users into visiting sites with the sole intent and purpose of infecting their end-user system.
Helping end-users with security awareness training to help them understand the dangers of the web, how to recognize dangerous URLs, paying attention to URL redirects, and immediately notifying IT if anything suspicious happens on their system when browsing the Internet are great ways to bolster internal security by helping employees recognize the dangers.
Wireless Networks
The networked world we live in today is becoming inherently more “wireless” than ever, with connectivity options to various networks presented to end-users and company employees wherever they go. Wireless networks by their very nature are less secure than wired networks since wireless network communication is literally sent “over-the-air” for anyone to see. While various encryption techniques may be used to secure wireless traffic, the fact that anyone has access to wireless communication warrants caution.
Attackers can perform “sniffing” of traffic on wireless networks and potentially find vulnerabilities in the systems, hardware, or other technologies used or even legacy protocols and security mechanisms in place. Employees need to be trained to be extra cautious when it comes to using Wi-Fi networks, especially in public locations to access sensitive corporate data.
Malware Including Ransomware
Ransomware is tremendously concerning as it can literally shut down an entire corporation in little time. We only have to think back to the WannaCry and Petya outbreaks that left hundreds of organizations inoperable for hours to days.
Ransomware is often listed as the number one threat to organization data today as it can wreak havoc on normal business operations and lead to businesses needing to enact data protection plans very quickly to recover data. Often, ransomware infections bring to light (unfortunately) holes in the data protection plan or inoperable backups that have not been protecting data for months or longer without notice. This can lead to a serious situation for businesses affected.
Security awareness training including ransomware training needs to be included to help employees use extreme caution when it comes to downloading suspicious files or clicking links leading to unknown locations. Educating users on the real threat that ransomware poses can help to instill caution and help employees to scrutinize downloads and other activities very closely.
Security awareness training can be very successful at helping to thwart disastrous consequences to an organization’s data, as noted in one experience where security awareness training helped to stop a ransomware infection before it started.
Security Awareness Including Public Cloud Environments
As more and more organizations move services and data to the public cloud by way of various Software-as-a-Service platforms such as Google G Suite and Microsoft Office 365, security awareness training increasingly needs to take public cloud environments into account. Attackers are targeting public cloud environments more than ever before since this is the continuing trend in enterprise IT environments. Public cloud is certainly where core infrastructure services such as business email will be housed for more organizations over the coming years.
Many of the same threats to on-premises infrastructure exist in the public cloud. “RansomCloud” is a new wave of ransomware that is specifically designed for public cloud environments like Office 365, where cloud email and other services can be held hostage in the same way that traditional ransomware can encrypt and prevent access to on-premises files.
As we have mentioned many times before, there are gross misconceptions about public cloud environments being immune to ransomware infection and other malware-related threats. However, this is simply not true.
Kevin Mitnick has demonstrated this type of attack many times showing how cloud emails can be encrypted by the bad guys using similar ransomware methods as with on-premises attacks. Using very authentic-looking emails, attackers can often trick end users into clicking on links thinking it is a legitimate communication.
Below, a message regarding “AntiSpam PRO” lures the end-user into clicking the link contained in the email, thus infecting all the emails in the cloud-hosted Office 365 inbox.
An example of ransomware infected email masquerading as legitimate communication from Microsoft (Image courtesy of KnowBe4)
After the unsuspecting end-user clicks on the link and grants permissions to the attacker, emails are encrypted and a message is received after the damage has been inflicted, detailing the infection and what the user has to do to get the messages back.
Message detailing the encryption of emails and the ransom the end user must pay to retrieve them (Image courtesy of KnowBe4)
Even in the realm of public cloud environments, as Kevin Mitnick explains, end users must Stop, Look, and Think before clicking links that can potentially result in ransomware infection.
Security Equals a Good Mix of Security Awareness and Technology
An organization that looks to solve the security challenges presented today will not be successful relying on simply one or the other (Security awareness training or technology solutions) to solve today’s security problems. It takes both components to comprise a strong solution to security threats. As we have focused mostly on the security awareness side of the security solution, let’s look at the technology that can help along with security awareness in conquering the security challenges presented in public cloud environments.
Aside from end-users performing the very important steps of “stop, look, and think” that Kevin Mitnick mentions, organizations need technology in place for when end-users don’t stop, look, and think. Spinbackup is the security solution that businesses need to conquer the often-monumental challenge of securing public cloud environments.
Training employees is a large part of the battle. However, when the bad guys make it through, technology solutions need to kick into motion to limit and stop the damage done. Spinbackup is an API-based, machine learning enabled CASB that helps to make this process ironclad by providing the following security features to organizations housing business-critical data in the cloud:
- Ransomware Protection and Automatic remediation of ransomware infected files.
- Insider Threat Control – Spinbackup protects organizations from insider threats and helps to pinpoint these quickly and accurately with powerful machine learning technology. When security awareness training isn’t enough and an end-user makes the wrong decision, Insider Threats Protection kicks in and protects the organization.
- Data Leak Protection – Prevents data from unauthorized leak outside the organization.
- Sensitive Data Protection – Prevents sensitive data from being exposed inadvertently or intentionally.
- Automatic backups – On top of the security mechanisms provided, Spinbackup has organizations covered by providing automatic backups of services and data stored in both G Suite and Office 365. The full-featured enterprise backup provides unlimited versioning, recovery, and migration functionality to organizations needing to recover or migrate data.
An often-overlooked aspect of good security involves the human aspect. Security awareness training helps to implement “security” by empowering employees with the knowledge and training needed to effectively protect themselves and, by extension, the business from data loss, ransomware, data leak, and many other extremely worrisome outcomes. Really, cybersecurity is severely handicapped when either the security awareness (human factor) or the technology are not given the proper attention. Public cloud environments are not immune to these dangers.
Helping employees to realize the dangers that exist in the cloud, as well as utilizing robust security tools like Spinbackup, provides a perfect marriage of awareness and technology that allows effectively meeting today’s security challenges head-on. Help employees to “Stop, Look, and Think” and rely on Spinbackup when they don’t!
P.S.: This security guide will help you to stay protected and enhance the security level of your G Suite environment!